nemoris 0.1.0

package/src/auth/openai-codex-oauth.js

@@ -0,0 +1,285 @@
+import { spawn } from "node:child_process";
+import { getAuthProfile, resolveAuthProfilesPath, updateAuthProfile, upsertAuthProfile } from "./auth-profiles.js";
+import { loginOpenAICodex } from "@mariozechner/pi-ai/oauth";
+
+const REFRESH_BUFFER_MS = 5 * 60 * 1000;
+const OPENAI_OAUTH_TOKEN_URL = "https://auth.openai.com/oauth/token";
+export const OPENAI_CODEX_DEFAULT_PROFILE_ID = "openai-codex:default";
+
+function spawnDetached(command, args) {
+  try {
+    const child = spawn(command, args, {
+      detached: true,
+      stdio: "ignore",
+    });
+    child.unref();
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+async function openBrowser(url) {
+  if (!url) return false;
+  if (process.platform === "darwin") {
+    return spawnDetached("open", [url]);
+  }
+  if (process.platform === "win32") {
+    return spawnDetached("cmd", ["/c", "start", "", url]);
+  }
+  return spawnDetached("xdg-open", [url]);
+}
+
+function decodeJwtPayload(token) {
+  try {
+    const parts = String(token || "").split(".");
+    if (parts.length < 2) return null;
+    const payload = parts[1]
+      .replace(/-/g, "+")
+      .replace(/_/g, "/")
+      .padEnd(Math.ceil(parts[1].length / 4) * 4, "=");
+    return JSON.parse(Buffer.from(payload, "base64").toString("utf8"));
+  } catch {
+    return null;
+  }
+}
+
+function resolveExpires(profile) {
+  if (profile?.expires === undefined || profile?.expires === null || profile?.expires === "") {
+    return null;
+  }
+  if (typeof profile.expires === "number" && Number.isFinite(profile.expires)) {
+    return profile.expires;
+  }
+  const parsed = Date.parse(profile.expires);
+  return Number.isNaN(parsed) ? null : parsed;
+}
+
+function deriveClientId(profile) {
+  if (profile?.clientId) return String(profile.clientId);
+  const payload = decodeJwtPayload(profile?.access);
+  return payload?.client_id || null;
+}
+
+function normalizeOauthCredentials(credentials) {
+  return {
+    type: "oauth",
+    provider: "openai-codex",
+    access: credentials.access,
+    refresh: credentials.refresh,
+    expires: credentials.expires,
+    accountId: credentials.accountId || null,
+    clientId: deriveClientId({ access: credentials.access }) || null,
+  };
+}
+
+export async function initiateOpenAICodexOAuthFlow({
+  profileId = OPENAI_CODEX_DEFAULT_PROFILE_ID,
+  filePath = resolveAuthProfilesPath(),
+  loginImpl = loginOpenAICodex,
+  openUrlImpl = openBrowser,
+  promptForPasteImpl = async () => "",
+  onNote = null,
+  onProgress = null,
+} = {}) {
+  if (typeof loginImpl !== "function") {
+    throw new Error("No login implementation available for OpenAI Codex OAuth.");
+  }
+
+  if (typeof onNote === "function") {
+    await onNote([
+      "Browser will open for OpenAI authentication.",
+      "If it does not open automatically, paste the URL below into your browser.",
+      "OAuth callback: localhost:1455",
+    ].join("\n"), "OpenAI OAuth");
+  }
+
+  const credentials = await loginImpl({
+    originator: "nemoris",
+    onAuth: async ({ url }) => {
+      if (typeof onProgress === "function") {
+        await onProgress(`Complete sign-in in browser...\n  ${url}`);
+      }
+      await openUrlImpl(url);
+    },
+    onPrompt: async ({ message }) => promptForPasteImpl(message || "Paste the authorization code or redirect URL"),
+    onProgress: async (message) => {
+      if (typeof onProgress === "function") {
+        await onProgress(message);
+      }
+    },
+  });
+
+  const profile = normalizeOauthCredentials(credentials);
+  upsertAuthProfile(profileId, profile, filePath);
+  return profile;
+}
+
+export function inspectOpenAICodexProfile(profile, { now = Date.now() } = {}) {
+  if (!profile || typeof profile !== "object") {
+    return { state: "profile_incomplete", reason: "missing_profile" };
+  }
+  if (profile.provider !== "openai-codex") {
+    return { state: "profile_incomplete", reason: "wrong_provider" };
+  }
+  if (profile.type !== "oauth" && profile.type !== "api_key") {
+    return { state: "profile_incomplete", reason: "unsupported_type" };
+  }
+  if (profile.type === "api_key") {
+    return profile.key
+      ? { state: "usable_token", reason: "api_key", token: profile.key }
+      : { state: "profile_incomplete", reason: "missing_api_key" };
+  }
+
+  const access = profile.access || null;
+  const refresh = profile.refresh || null;
+  const expiresAt = resolveExpires(profile);
+
+  if (!access && refresh) {
+    return { state: "refresh_needed", reason: "missing_access_token", expiresAt };
+  }
+  if (!access && !refresh) {
+    return { state: "reauth_required", reason: "missing_access_token" };
+  }
+  if (expiresAt === null) {
+    if (refresh) {
+      return { state: "refresh_needed", reason: "missing_expires", expiresAt: null };
+    }
+    return { state: "profile_incomplete", reason: "missing_expires" };
+  }
+  if (expiresAt <= now) {
+    if (refresh) {
+      return { state: "refresh_needed", reason: "expired", expiresAt };
+    }
+    return { state: "reauth_required", reason: "expired_no_refresh", expiresAt };
+  }
+  if (expiresAt - now <= REFRESH_BUFFER_MS) {
+    if (refresh) {
+      return { state: "refresh_needed", reason: "near_expiry", expiresAt };
+    }
+    return { state: "usable_token", reason: "near_expiry_without_refresh", token: access, expiresAt };
+  }
+  return { state: "usable_token", reason: "ok", token: access, expiresAt };
+}
+
+function buildRefreshBody(profile) {
+  const refresh = profile?.refresh || null;
+  if (!refresh) {
+    throw new Error("OpenAI Codex OAuth profile has no refresh token.");
+  }
+  const params = new URLSearchParams({
+    grant_type: "refresh_token",
+    refresh_token: refresh,
+  });
+  const clientId = deriveClientId(profile);
+  if (clientId) {
+    params.set("client_id", clientId);
+  }
+  return params;
+}
+
+export async function refreshOpenAICodexProfile(profile, {
+  fetchImpl = globalThis.fetch,
+  tokenUrl = process.env.NEMORIS_OPENAI_OAUTH_TOKEN_URL || OPENAI_OAUTH_TOKEN_URL,
+  now = Date.now()
+} = {}) {
+  if (profile?.type === "api_key") {
+    return profile;
+  }
+  if (!fetchImpl) {
+    throw new Error("No fetch implementation available for OpenAI Codex OAuth refresh.");
+  }
+
+  const response = await fetchImpl(tokenUrl, {
+    method: "POST",
+    headers: {
+      "content-type": "application/x-www-form-urlencoded",
+      "accept": "application/json",
+    },
+    body: buildRefreshBody(profile),
+  });
+
+  const raw = await response.text();
+  let data;
+  try {
+    data = raw ? JSON.parse(raw) : {};
+  } catch {
+    data = { error_description: raw };
+  }
+
+  if (!response.ok) {
+    const detail = data?.error_description || data?.error || raw || `HTTP ${response.status}`;
+    throw new Error(`OpenAI Codex OAuth refresh failed: ${detail}`);
+  }
+
+  const access = data?.access_token || null;
+  if (!access) {
+    throw new Error("OpenAI Codex OAuth refresh returned no access_token.");
+  }
+  const refresh = data?.refresh_token || profile.refresh || null;
+  const expiresInMs = Number(data?.expires_in || 0) > 0 ? Number(data.expires_in) * 1000 : null;
+  const nextExpires = expiresInMs ? now + expiresInMs : resolveExpires(profile);
+  if (!nextExpires) {
+    throw new Error("OpenAI Codex OAuth refresh returned no usable expiry.");
+  }
+
+  return {
+    ...profile,
+    type: "oauth",
+    provider: "openai-codex",
+    access,
+    refresh,
+    expires: nextExpires,
+    clientId: deriveClientId({ ...profile, access }) || profile.clientId || null
+  };
+}
+
+export async function resolveOpenAICodexAccess(profileId, {
+  fetchImpl = globalThis.fetch,
+  filePath = resolveAuthProfilesPath(),
+  now = Date.now()
+} = {}) {
+  const profile = getAuthProfile(profileId, filePath);
+  const inspection = inspectOpenAICodexProfile(profile, { now });
+
+  if (inspection.state === "usable_token") {
+    return {
+      status: inspection.state,
+      reason: inspection.reason,
+      token: inspection.token,
+      profile
+    };
+  }
+
+  if (inspection.state === "refresh_needed") {
+    try {
+      const refreshed = await refreshOpenAICodexProfile(profile, { fetchImpl, now });
+      updateAuthProfile(profileId, () => refreshed, filePath);
+      return {
+        status: "usable_token",
+        reason: `refreshed:${inspection.reason}`,
+        token: refreshed.access,
+        profile: refreshed
+      };
+    } catch (error) {
+      const reason = inspection.reason === "missing_expires"
+        ? "profile_incomplete"
+        : profile?.refresh
+          ? "refresh_failed"
+          : "reauth_required";
+      const wrapped = new Error(error.message);
+      wrapped.authState = reason;
+      wrapped.profileReason = inspection.reason;
+      throw wrapped;
+    }
+  }
+
+  const error = new Error(
+    inspection.reason === "missing_expires"
+      ? "OpenAI Codex OAuth profile is missing expires; re-authenticate or provide a refreshable profile."
+      : `OpenAI Codex OAuth profile is not usable (${inspection.reason}).`
+  );
+  error.authState = inspection.state;
+  error.profileReason = inspection.reason;
+  throw error;
+}